cyber enthusiast

Mr. Robot

Description

This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively more difficult to find.

The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

Enumeration

Mr. Robot is one of the few Hollywood productions that captured the spirit of the black hat hacker right. I wonder if this challenge can maintain that reputation. Let’s find out and let’s start with gathering some information about the target.

nmap -A -T4 -sV -p- 192.168.110.3

Looks like ports 80 and 443 are open.

When I try the commands, I feel a bit like Neo having to choose between the red pill and the blue pill. But then I want to scratch beneath the layers and look inside the source code. Let’s start with the basics. robots.txt gives me the first flag and an fsociety wordlist.

073403c8a58a1f80d943455fb30724b9

Looks like an MD5 hash to me. Hash-identifier confirms it. But unfortunately it’s not a known hash.
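Hash-identifier works mostly from length and character set, which is why the first flag "looks like" MD5 but could just as well be MD4 or NTLM, and why a random 32-hex flag will never show up in a lookup table of cracked passwords. The following added example (my own code, not part of the original writeup) reproduces that classification, including the self-describing crypt-style prefixes such as WordPress's `$P$` phpass format, and shows how to confirm a guess for a specific algorithm. The sample hashes other than the first flag are constructed.

```python
import hashlib
import re
from typing import List

# Hex digest lengths and the algorithms commonly associated with them.
# Length alone is ambiguous: 32 hex characters may be MD5, MD4 or NTLM.
HEX_DIGEST_TYPES = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256"],
    96: ["SHA-384"],
    128: ["SHA-512"],
}

# Modular-crypt style strings carry the algorithm in their prefix, so no guessing.
CRYPT_PREFIXES = [
    ("$1$", "md5crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("$P$", "phpass (WordPress)"), ("$H$", "phpass (phpBB)"),
]


def identify_hash(value: str) -> List[str]:
    """Return candidate algorithms for a hash string (most likely first); [] if unknown."""
    v = value.strip()
    for prefix, name in CRYPT_PREFIXES:
        if v.startswith(prefix):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]+", v):
        return HEX_DIGEST_TYPES.get(len(v), [])
    return []


def is_md5_of(candidate: str, digest: str) -> bool:
    """Settle the ambiguity for one guess: does md5(candidate) equal the digest?"""
    return hashlib.md5(candidate.encode()).hexdigest() == digest.strip().lower()


if __name__ == "__main__":
    samples = [
        "073403c8a58a1f80d943455fb30724b9",      # the first flag from this VM
        "$P$BconstructedWordPressPhpassHash",     # constructed, WordPress-style prefix
        "900150983cd24fb0d6963f7d28e17f72",       # md5("abc"), a well-known test vector
        "not-a-hash!",
    ]
    for s in samples:
        print(f"{s}: {identify_hash(s) or ['unrecognised']}")
    print("md5('abc') check:", is_md5_of("abc", "900150983cd24fb0d6963f7d28e17f72"))
```

The takeaway for the first flag: every candidate type is an unsalted fast hash, but since the input is a random token rather than a password, a lookup service can only succeed if someone has already submitted that exact value.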

WordPress

When running Dirb, I get a long list of directories. One of them is the WordPress login page.

I tried wpscan, but it couldn’t enumerate usernames. Also, there weren’t a lot of useful vulnerabilities to exploit. Time for some thinking and manual labor.

Looks like I have found a username. Let’s see if we can brute force the password of this account with the wordlist we found. The wordlist contains 858160 words. That’s gonna take some time to brute force. Maybe I can trim it down a bit.

Getting a shell

That’s not gonna work. Because there is no way for me to get around the file format restriction, I choose another path: I’m gonna adjust a page.

Let’s take the top one and replace its code with the reverse shell code from pentestmonkey.

I’m in. Let’s grab a proper shell.

python -c 'import pty;pty.spawn("/bin/bash")'
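From the defender's side, the step above is the one that leaves the clearest trace: a theme template under wp-content/themes is overwritten with code that a template never needs, such as fsockopen() and proc_open(). The added example below (my own code, not from the writeup or from WordPress) shows two cheap checks an administrator can run over theme files: a grep-style scan for code-execution and socket primitives, and a comparison of file digests against a known-good baseline. The sample files are constructed stand-ins for a theme directory; the "modified" archive.php contains only the two calls, not a working payload.

```python
import hashlib
import re
from typing import Dict, List

# Primitives a PHP connect-back shell needs, plus common code-execution sinks.
# A hit is an indicator, not proof: some legitimate plugins call exec() or
# proc_open(), so every finding should be reviewed in context.
SUSPICIOUS_CALLS = [
    "fsockopen", "proc_open", "shell_exec", "exec", "system",
    "passthru", "popen", "eval", "base64_decode",
]
PATTERN = re.compile(
    r"\b(" + "|".join(map(re.escape, SUSPICIOUS_CALLS)) + r")\s*\(", re.IGNORECASE
)

# Constructed sample contents standing in for wp-content/themes/<theme>/ files.
SAMPLE_FILES = {
    "wp-content/themes/twentyfifteen/404.php": """<?php
/**
 * The template for displaying 404 pages (not found)
 */
get_header(); ?>
<h1><?php _e( 'Oops! That page can&rsquo;t be found.', 'twentyfifteen' ); ?></h1>
<?php get_footer(); ?>
""",
    "wp-content/themes/twentyfifteen/archive.php": """<?php
// Constructed: a template whose body has been replaced with connect-back code.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
$process = proc_open($shell, $descriptorspec, $pipes);
""",
}


def scan_php_source(path: str, source: str) -> List[Dict]:
    """Return one finding per suspicious call, with file, line number and the line text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in PATTERN.finditer(line):
            findings.append({
                "file": path,
                "line": lineno,
                "call": m.group(1).lower(),
                "text": line.strip(),
            })
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Dict]]:
    """Scan a path->source mapping; only files with at least one hit are returned."""
    result = {}
    for path, source in files.items():
        hits = scan_php_source(path, source)
        if hits:
            result[path] = hits
    return result


def file_digests(files: Dict[str, str]) -> Dict[str, str]:
    """SHA-256 of each file's content, suitable for storing as a baseline after install."""
    return {p: hashlib.sha256(s.encode()).hexdigest() for p, s in files.items()}


def changed_files(files: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Paths whose current digest differs from (or is missing in) the baseline."""
    current = file_digests(files)
    return sorted(p for p, d in current.items() if baseline.get(p) != d)


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for h in hits:
            print(f"{h['file']}:{h['line']}: {h['call']}() -> {h['text']}")
    # Baseline taken from a pristine copy of the same theme (constructed here).
    pristine = dict(SAMPLE_FILES)
    pristine["wp-content/themes/twentyfifteen/archive.php"] = "<?php get_header(); get_footer(); ?>\n"
    print("changed since baseline:", changed_files(SAMPLE_FILES, file_digests(pristine)))
```

The digest comparison is the more robust of the two checks, since it does not depend on guessing which function names the attacker used; the call scan is the one that tells you what the change does. Together with making the theme directory read-only for the web server user (so the built-in theme editor cannot write to it), these close off the path used in this writeup.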

Inside the home directory there is a directory named robot which contains 2 files. One is the second flag and the other contains the username ‘robot’ plus a hash. Looks like I need to crack this hash. Before using a time-consuming tool, I check the hash on CrackStation, and it appears to be a known hash.